POL-U3000.01 Identifying, Detecting and Responding to Identity Theft Red Flags and Notices of Address Discrepancies

1. The purpose of the university’s Identity Theft Prevention Program is to detect, prevent and mitigate fraud attempts via identity theft in connection with the opening of a covered account or any existing covered account by:
   1. Identifying relevant financial processing red flags for covered accounts signaling possible fraud attempt via identity theft and incorporating those red flags into the program;
   2. Establishing procedures to detect red flags that have been incorporated into the program; and
   3. Responding appropriately to any red flags that are detected to prevent and mitigate identity theft related to financial transactions.
2. The WWU Technology Security Incident Response Program provides mechanisms to:
   1. Bring critical strategic personnel on campus together.
   2. Determine the extent of the risk and violation.
   3. Designate the proper action.
3. The Financial Information Security Program provides mechanisms to:
   1. Identify and assess the risk factors related to covered accounts;
   2. Develop written procedures to manage and control these risks and carry out the activities described in (A) above;
   3. Train appropriate staff in the program activities; and
   4. Adjust the plan to reflect the University’s experiences with identity theft, changes in methods of identity theft or methods to detect, prevent and mitigate identity theft, and changes related to the offering or managing of covered accounts.

This program will be a component of the overall campus-wide Information Technology (IT) Security Plan. The IT Security Plan will be administered by the WWU Chief Information Officer. The IT Security Plan will prevail if a conflict arises.

The CIO, in consultation with the Vice President for Business and Financial Affairs, appoints the university’s Identity Theft Prevention Program Coordinator and authorizes the activities necessary for the Coordinator to implement and maintain the program. This Red Flag program will be reviewed for compliance with the IT Security Plan by the CIO.

The CIO will appoint managers from relevant university departments to serve on the Oversight Committee. These departments may include, but are not limited to, Student Financial Services, Financial Aid, Administrative Computing Services, Internal Audit, and Business and Financial Affairs Internal Control Officer.

All possible identity theft instances will be reported to the CIO. The CIO will call the Security Incident Response Team together for review and designated action per the IT Security Plan.

At least annually, or more frequently if an elevated level of risk so warrants, the Identity Theft Prevention Coordinator will present a written report of material program matters to the Board of Trustees Audit Committee, Vice President for Business and Financial Affairs, the CIO, the Security Incident Response Team, and the Oversight Committee. The report will include:

• The activities of the program;
• The effectiveness of the program in addressing the risk of identity theft;
• Service provider arrangements; and
• Significant incidents involving identity theft and management’s response.

The Contract Administrator ensures that any covered account service provider bid documents and any subsequent contract negotiated includes the requirement for compliance with the FTC’s Red Flag Rules.

The Coordinator, in conjunction with the Oversight Committee, will periodically review and adjust the Identity Theft Prevention Program to reflect changes in risks to customers or to the safety and soundness of the university from identity theft.